(The following pre-advisory is also available in PDF format for download at:
http://www.cybsec.com/vuln/CYBSEC-Security_Pre-Advisory_SAP_IGS_Undocumented_Features.pdf )
CYBSEC S.A.
www.cybsec.com
http://www.cybsec.com/vulnerability_policy.pdf
"The IGS provides a server architecture where data from an SAP System or other sources can be used to
generate graphical or non-graphical output."
It is important to note that IGS is installed and activated by default with the Web Application Server
(versions >= 6.30)
Undocumented features have been discovered in SAP IGS service, some of which may signify security
risks.
Technical details will be released three months after publication of this pre-advisory. This was
agreed upon with SAP to allow their customers to
upgrade affected software prior to technical knowledge been publicly available.
Successful exploitation of this vulnerability allows to remotely shutdown SAP IGS service, access
configuration files and to perform unauthorized
actions over service deployment.
SAP has released patches that disable the default-enabled access to the service HTTP interface.
Beside, some commands has been disabled. Affected
customers should apply the patches immediately.
More information can be found on SAP Notes 959358 and 965201.
Thanks goes to Carlos Diaz and Victor Montero.
For more information regarding the vulnerability feel free to contact the author at mnunez {at}
cybsec.com. Please bear in mind that technical details
will be disclosed to the general public three
months after the release of this pre-advisory.
For more information regarding CYBSEC: www.cybsec.com
(c) 2006 - CYBSEC S.A. Security Systems